Getting a 510k deficiency letter for cybersecurity is not a rejection. It is a specific, addressable request from the FDA that tells you exactly what documentation is missing or insufficient. At Blue Goat Cyber, we have guided device manufacturers through this situation repeatedly, and the pattern is almost always the same: the submission had gaps that the FDA’s updated cybersecurity standards now require, and the path forward is more manageable than it feels the moment that letter lands in your inbox. This article breaks down why these letters get issued, what the FDA needs to see in a compliant response, the timelines you are working with, and how to build your documentation package without wasting a single one of your 180 days.
Why the FDA started issuing more cybersecurity deficiencies
The March 2023 policy shift that changed everything
Before March 29, 2023, FDA cybersecurity guidance was largely advisory. Manufacturers were encouraged to follow best practices, but the FDA lacked explicit statutory authority to refuse a 510(k) solely on cybersecurity grounds. Section 524B of the FD&C Act changed that. The Consolidated Appropriations Act of 2023 gave the FDA legal authority to require cybersecurity documentation as a condition of submission, and the October 2023 Refuse to Accept (RTA) policy made clear that submissions without compliant cybersecurity sections would not even enter substantive review. Some submissions made before or shortly after this shift were built on the old expectation. The deficiency letter you received is the FDA telling you that the bar has moved and your documentation needs to meet it.
What a 510(k) cybersecurity deficiency letter actually says
The letter is structured as an Additional Information (AI) request. It cites specific sections of your submission, often quotes directly from FDA guidance or from Section 524B of the FD&C Act, and identifies which required elements were absent or inadequate. One of the most common verbatim citations reads: “you did not provide a software bill of materials (SBOM), including commercial, open-source, and OTS software components as required by section 524B(b)(3) of the FD&C Act.” Other deficiency letters cite inadequate threat modeling, weak authentication documentation, or a missing postmarket cybersecurity plan. Read the letter carefully and number every deficiency. That numbering becomes the backbone of your response.
The documentation gaps that trigger most 510(k) cybersecurity deficiency letters
Incomplete threat modeling and risk analysis
This is the most frequently cited deficiency in cybersecurity AI letters. The FDA flags threat modeling as inadequate when no recognized framework like STRIDE was applied, when threats are identified without mapping exploitation pathways, or when there is no traceability between identified risks and the controls designed to address them. The FDA expects your premarket cybersecurity submission to show how a malicious actor could exploit specific vulnerabilities and what mitigations are in place at each step. Without that traceability, the risk assessment is treated as incomplete regardless of how detailed the narrative looks. A long document with no traceability matrix still fails the standard.
Missing or insufficient SBOM
Under Section 524B(b)(3) of the FD&C Act, an SBOM is now a mandatory element for any cyber device. When it is absent or incomplete, the FDA cites it verbatim and the deficiency is unambiguous. A compliant SBOM must cover all commercial, open-source, and off-the-shelf software components, including dependencies, with version information and provenance data. The FDA expects machine-readable formats, specifically SPDX or CycloneDX, per NTIA minimum elements guidance. A spreadsheet or PDF narrative alone is not sufficient without an accompanying machine-readable file. Both formats support the NTIA minimum elements: supplier name, component name, version, unique identifier, dependencies, author, and timestamp. For practical guidance on producing a compliant SBOM, see complying with the FDA’s SBOM requirements. If your original submission did not include this, it is a foundational gap that needs to be corrected in full before your response is submitted.
Weak or absent postmarket cybersecurity plan
The FDA expects a documented plan that covers how your organization will monitor for vulnerabilities after clearance, issue patches on both regular and out-of-cycle timelines, coordinate vulnerability disclosure with affected parties, and communicate security risks to healthcare delivery organizations. When this plan is missing or vague, the FDA cites it consistently. Under the 2023 Final Guidance, the FDA also recommends incorporating CISA’s Known Exploited Vulnerabilities (KEV) database into your ongoing monitoring process. A one-paragraph statement that the company will “address vulnerabilities as they arise” does not meet this standard. The FDA wants a plan with timelines, roles, and procedures.
Responding to a 510(k) cybersecurity deficiency letter: what FDA expects
Cybersecurity risk management documentation
A complete response includes a risk management file aligned with ISO 14971, a cybersecurity risk management plan that ties identified threats to specific controls, and documentation showing how those controls address the exploitability and impact of each risk. The FDA wants to see that the full device lifecycle was considered: design, development, deployment, and end of support. Risk assessments that only address initial design are not sufficient. Every threat in your threat model needs a corresponding control, and every control needs evidence that it was implemented and tested.
Authentication, encryption, and security controls evidence
If the deficiency cited authentication or encryption gaps, your response must provide detailed technical documentation of the implemented controls. This means showing how access is differentiated by user role (caregiver, administrator, service technician), how data is encrypted at rest and in transit, and how secure boot and firmware validation are implemented. The device’s access pathway limitations and monitoring approach should be covered separately, supported by architecture diagrams and design documentation. A written description alone is not enough. The FDA reviewer needs to see that these controls exist in the device, not just in your plans for it.
Verification, validation, and penetration testing records
For moderate-to-high risk connected devices, the FDA expects penetration testing results, fuzz testing outputs, and vulnerability scan reports as part of the cybersecurity V&V package. These records should be included in your response with a clear explanation of how each finding was remediated. The goal is to demonstrate that security controls function as designed under adversarial conditions, not just during normal operation. If your original submission lacked penetration testing, this work needs to happen before your response is finalized. Submitting incomplete or unvetted test results in response to a deficiency creates more problems than it solves.
The timeline you are working with and how to use it
The 180-day response window and what happens if you miss it
Per FDA policy, 510(k) submitters have 180 calendar days to respond to an AI request. There are no extensions for 510(k) submissions. A late or incomplete response causes the submission to be considered withdrawn, which means starting a new submission and resetting the entire review clock. That outcome costs months and significant resources. Front-load your work: the first 30 to 60 days should be focused on gap assessment, evidence collection, and any testing that needs to be completed. Do not spend the first six weeks in internal debate about whether the deficiency is justified. It is. Address it. For reference on FDA expectations around AI requests and timelines, consult the FDA’s guidance documents.
Using clarification meetings and SIR meetings strategically
Within 10 calendar days of receiving the AI letter, you can request a clarification meeting with the FDA to get specifics on what each deficiency requires. This is worth doing every time. A Special Interactive Review (SIR) meeting can be requested shortly after, and the FDA typically schedules it within three weeks if the request comes within the first 60 days, per FDA Q-Submission and SIR scheduling guidance. These meetings are your opportunity to align on exactly what the FDA expects before you invest weeks building documentation that might miss the mark. Come prepared with specific questions, not open-ended asks. The FDA will tell you what they need if you ask precisely enough. See the FDA’s Q-Submission resources for scheduling and format guidance: FDA Q-Submission and SIR guidance.
Building your response: a practical approach
Structuring your cover letter correctly
The cover letter is not a formality. It is a roadmap for the FDA reviewer, and a well-organized cover letter genuinely accelerates review. It should reference each deficiency by the number or label used in the AI letter, explain what new information is being provided in response to each one, and articulate how that information supports the substantial equivalence determination. Reviewers are working under time pressure just like you are. If they have to hunt through your response to figure out which document addresses which deficiency, that creates friction. Remove the friction.
Assembling your evidence package
A complete 510k cybersecurity deficiency response typically includes the following elements:
- Updated threat model with full STRIDE analysis and a traceability matrix linking threats to controls
- Complete SBOM in SPDX or CycloneDX format with all components, versions, and provenance data
- Authentication and access control documentation with role-based differentiation
- Encryption protocol documentation covering data at rest and in transit
- Penetration testing, fuzz testing, and vulnerability scan reports with remediation evidence
- Updated postmarket cybersecurity plan covering vulnerability monitoring, patch timelines, and coordinated disclosure procedures
- Updated cybersecurity risk management plan aligned with ISO 14971
Teams that work with a specialized partner like Blue Goat Cyber can complete this package more efficiently because the documentation structure is built around what FDA reviewers expect to see. The format and content standards come from direct experience with medical device cybersecurity 510(k) submissions, which means less time spent second-guessing whether a document will hold up under review. For a deeper dive into the documentation the FDA expects, see A Guide to FDA’s Cybersecurity Documentation Requirements (2025), Blue Goat Cyber.
When a cybersecurity fix requires a new 510(k) instead
The threshold that triggers a new submission
Not every fix to resolve a deficiency is clean. If addressing a cybersecurity gap requires a change that modifies a risk control affecting significant patient safety, alters a core algorithm, or could reasonably affect the device’s safety or effectiveness in a new way, a new 510(k) may be required under 21 CFR 807.81(a)(3). This is a risk-based determination your team must make explicitly, not a default. If you are unsure whether the fix crosses this threshold, review industry guidance on how to tell when a software change requires a new 510(k) and err toward a formal risk assessment before deciding. The cost of filing a new submission is significant, but the cost of modifying a cleared device without a required submission is higher.
Changes you can make without resubmitting
Cybersecurity changes made solely to strengthen an existing control, without introducing new hazards or changing intended use, generally do not require a new 510(k). Adding monitoring capabilities, updating encryption protocols, or improving authentication without altering device function all fall into this category. The key is documenting the decision through a formal risk assessment that evaluates the change against the most recently cleared device configuration. Keep that documentation in your quality system regardless of which path you take. If the decision is ever questioned, the record of how you made it is what protects you.
A fixable problem, handled correctly
A 510(k) cybersecurity deficiency is fixable. The FDA is not rejecting your device; they are asking you to close specific documentation gaps that Section 524B now requires. The manufacturers who navigate this well respond quickly, request clarification meetings early, and build their evidence packages around what the guidance actually specifies. The ones who struggle either wait too long to start or try to patch a submission that had fundamental gaps in threat modeling or SBOM documentation, and no credible postmarket plan.
If your team is facing a 510k deficiency letter for cybersecurity and needs to move efficiently, Blue Goat Cyber focuses exclusively on medical device cybersecurity compliance. The team can assess exactly what your response needs before you spend time building the wrong thing, starting with a gap assessment call to map your deficiencies against what the FDA’s guidance requires. For additional perspective on industry best practices and expert insights, see Navigating the Cybersecurity Landscape for MedTech Innovators: Key Insights from the Experts, Blue Goat Cyber. The 180-day clock starts the moment the letter arrives. The sooner you have a clear plan, the better your outcome. Reach out to FDA Cybersecurity Deficiency Response, Blue Goat Cyber directly to get started.
Related: Medical Device Cybersecurity: A Complete Lifecycle Guide